Brandishing new authority thanks to the Dodd-Frank Act, the SEC was quick to act on an agenda item that had been on the table for 30 years. Yesterday, the SEC approved a ‘Proxy Access’ rule that allows shareholders to place nominations for board seats on the annual proxy ballot of public companies. The rule applies to shareholders, or shareholder groups, who have held at least 3% of a public company’s stock for at least 3 years.

SEC Chairman Mary Schapiro succeeded where her two predecessors had failed in gathering a 3-2 vote in favor of the rule. The vote divided along party lines, with both Republican members objecting. While this is a win for investor groups, who now have increased influence over board make-up, the rule contains no provisions for smaller, individual investors who own less than 3% of the stock or have held it for less than 3 years.

One thing is certain: the new rule reflects the anger and backlash of shareholders who feel that boards of directors were not acting in the shareholders’ best interest when taking the highly leveraged and risky positions that led to the 2008 financial meltdown. As Rick Stenberg pointed out in his recent blog post, this indicates a clear trend toward increasing shareholder power and toward companies and their boards ‘opening channels of communication with shareholders.’ As these channels are opened, an information architecture that provides full transparency into risk exposure and enables information sharing will help to fill the communication gap between the Board and shareholders.

In my last blog post, I mentioned that the new Financial Stability Oversight Council created under Dodd-Frank will collect risk data from various sources including Federal and State financial regulatory agencies and the newly created Office of Financial Research (OFR). The OFR in turn is responsible for collecting risk data from financial services institutions at the behest of the Council. These additional, external information and reporting requests will not only compound the extensive reporting responsibilities of risk committees and risk managers, but will also likely overlap with internal reporting requirements from Boards and executives.

As the Dodd-Frank rulemaking proceeds in the coming years, reacting to each new rule and regulatory requirement with siloed technology and resource investments will clearly not be effective. The financial crisis of 2008 highlighted the interdependency of risks across an enterprise (credit, market, operational) which need to be managed holistically rather than in traditional silos. A siloed approach limits an organization’s ability to streamline risk and compliance processes and reduce costs. It also obscures the opportunity to integrate risk and compliance to gain a comprehensive view of the firm’s risk exposure.

Gordon Burnes commented in a recent blog post that “as companies put in place this information architecture to surface enterprise risk exposure, thinking about interdependencies will be critical to reduce cost.” I’ve worked with numerous OpenPages customers who are actively managing multiple risk and compliance programs on a single framework. The impetus behind these initiatives varies from the need to review enterprise risk and control performance at executive and Board-level meetings, to Federal regulator demands, to the need to simplify and rationalize risk and control assessments. A large, OpenPages financial services customer recently completed the convergence of risk assessments across all risk and compliance programs with the explicit intention of monitoring risk exposure across their business.

Moving forward as new Dodd-Frank requirements emerge, financial services institutions will require a converged information architecture that supports multiple risk and compliance initiatives on a single framework. An integrated risk and compliance framework can reduce the disparate databases and reporting structures, while at the same time meeting internal and external reporting requirements more efficiently. Whatever risk disciplines are significant within your firm, the goal should be to integrate them within a single framework that produces a holistic view of your risk landscape, while meeting the needs of regulatory agencies.

You’ve surely heard about Goldman Sachs’ settlement with the SEC on fraud charges related to the firm’s disclosure, or lack thereof, of a collateralized debt obligation that purportedly was designed to fail. The $550 million to be paid may seem like a lot, and indeed is said to be the largest SEC fine against a Wall Street bank, but many observers maintain that the firm got off easy, especially when the amount is viewed in light of Goldman’s revenue and profits.

But there’s another way in which Goldman seems to have dodged a bullet. While other companies have had to accept a government-appointed monitor working inside the organization, Goldman won’t be subject to such meddling. In my mind, avoiding this kind of intrusive interloping is just as big a win as, if not a bigger one than, the manageable size of the fine – especially for a firm as sophisticated as Goldman Sachs.

There is, however, a requirement that Goldman file an annual certificate, for three years, attesting that it is in compliance with the terms of the settlement. Of considerable interest is that the certificate is to be signed by the firm’s general counsel or global head of compliance. Some pundits say this makes eminent sense, while others take the position that it should be the CEO or the board, who are ultimately responsible for ensuring compliance, putting their signature on the dotted line. In any event, all this puts more of a spotlight on chief compliance officers and compliance programs. One former chief compliance officer reportedly said the SEC “seems to be attempting to elevate importance of the chief compliance officer role,” while an active compliance chief says the settlement shows that compliance officers “are becoming true C-suite level executives.”

There’s a lot going on here, and we can expect to see the focus on compliance officers ratcheting up further going forward.

In a recent blog post, OpenPages’ Gordon Burnes pointed out that a major theme of the Dodd-Frank legislation is “greater transparency into risk exposure across the financial system.” In fact, several major components of the law will require financial services institutions to collect and report on risk exposure in their business.

The Financial Stability Oversight Council is a new regulatory body created by the law that is tasked with monitoring and regulating companies that are deemed by the Council to be “systemically important.” The Council has the authority to instruct the Federal Reserve to impose new requirements on systemically important companies such as increased capital and liquidity levels as well as disclosing risk practices, regulatory gaps and resolution plans or “living wills.” In its role as systemic risk monitor, the Council will collect risk data from various sources including Federal and State financial regulatory agencies and the newly created Office of Financial Research (OFR) – which will among other things be responsible for collecting data from financial services companies.

The Dodd-Frank law also calls for a Risk Committee to be established by all publicly traded non-bank financial companies supervised by the Federal Reserve, as well as all publicly traded bank holding companies with over $10B in total consolidated assets. Overseen by the Board of Governors of the Federal Reserve, the Risk Committee will be held responsible for enterprise-wide risk management oversight and practices, and must include “at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”

To meet these requirements for risk exposure data, financial services institutions need an information architecture that provides full transparency and reporting for the Board, Risk Committee and potentially the OFR. If you’re looking to develop an information architecture that will meet the requirements of Dodd-Frank and new regulations to come, here are a few things to consider:

1. Create a central platform to pull all of the different data elements together and maintain the relationships between elements (RCSA – Risk and Control Self-Assessments, Loss Events, KRIs – Key Risk Indicators, Issue Management, Policy Management, etc.)

2. Establish a common taxonomy and library for policies, processes, risks, controls, regulatory requirements and other key data elements

3. Integrate multiple areas of risk (operational, compliance, strategic, etc.) to provide aggregated analysis and full reporting of all risks across the enterprise

With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, many companies are bracing for the regulatory onslaught. The catch is that few of the provisions in the legislation take effect immediately; what we’re really facing is a great deal of rulemaking by new regulatory bodies (e.g. the Consumer Financial Protection Bureau) and existing ones. This rulemaking will take place over the next five years, with the bulk of the activity in the next two. So how should financial services companies position themselves?

It is clear that a major theme of the legislation is greater transparency into risk exposure across the financial system. Basel II can be faulted for taking an institutional approach to risk management, and the financial crisis of 2008 clearly revealed gaps in the way regulators assessed and managed risk across institutions. This wave of regulatory rulemaking will try to address those gaps, and, in fact, Treasury Assistant Secretary Michael Barr in a recent speech at the Chicago Club made several references to Basel III, an indication that regulators worldwide will be coordinating on liquidity and capital standards to manage systemic risk.

Regardless, regulators worldwide will still be collecting risk exposure data from institutions. As a first step, institutions can put in place an information architecture that can quickly and accurately serve up risk exposure information, and all financial services institutions need to work on this. The Dodd-Frank law, for instance, creates a Financial Stability Oversight Council that will have the authority to instruct the Federal Reserve and other agencies to collect all sorts of risk exposure data. Most companies know where their current gaps are; these need to be addressed immediately.

The scope of the rulemaking also suggests that we’re going to be in a very dynamic regulatory environment for a long time. As such, covered companies would do well to make sure this information architecture can adapt to change over time. Implementations of static frameworks for regulatory compliance could be obsolete before the project is finished! Any solution must be able to adapt and extend over time.

Finally, as companies put in place this information architecture to surface enterprise risk exposure, thinking about interdependencies will be critical to reduce cost. Inevitably, there will be much overlap between the information requests from different regulatory agencies. Your ability to handle these requests, as well as those from the business, with a minimal set of reports will save you time and resources. An integrated risk and compliance framework can reduce the disparate databases and reporting structures. Of course, you may not be able to consolidate everything onto a single, integrated system, but thinking about pairwise combinations is a good start.

No doubt you know that the Dodd-Frank Wall Street Reform and Consumer Protection Act has been signed into law, with at least some ramifications for every public company. Space here doesn’t permit an overview, and in any event you’ve probably already received highlights of the new law from one or more advisory firms. Among the more interesting aspects of new requirements is how the authority of corporate shareholders has risen, in a number of significant ways:

Say on pay: Shareholders now will get to vote on whether they’re satisfied with executive compensation. The same holds for so-called “golden parachutes” tied to transactions such as sales or mergers of the company. While these are only non-binding advisory votes, compensation committees and full boards will certainly think twice before continuing with compensation voted down by the company’s owners – the same owners who vote on whether sitting directors should be re-elected. As such, we can expect to see boards more receptive to the views of shareholders, especially major ones, on executive compensation programs.

Additional executive compensation disclosures: Public companies also will need to provide more detail about how executives’ pay relates to the company’s financial performance. Additionally, disclosure will be required of the ratio of the CEO’s total compensation to the median total compensation of all other employees. There’s little doubt that shareholders will be focusing closely on this information and reacting to it in the voting process.

Elimination of broker discretionary voting: Stock exchange rules will now go beyond the current NYSE rules to prohibit discretionary broker voting in board elections as well as on executive compensation and other significant matters. Because brokers typically voted in favor of company initiatives, shareholders will have more say in what transpires.

Proxy access: Perhaps most significant, the SEC is authorized to allow shareholders to use proxy materials to nominate their own directors. While we don’t know exactly what the SEC will do in this regard, we can expect that shareholders will have a greater say in who sits in the boardroom.

These of course are just some of the elements of the new law, whose impact ultimately will be determined by the numerous studies to be undertaken and regulations to be issued. One thing, however, is clear. Shareholder authority continues to grow, and companies and their boards will continue the trend of opening channels of communication with shareholders.
